diff --git a/sys/netipsec/ipsec_netbsd.c b/sys/netipsec/ipsec_netbsd.c index 7aa3626f6bae..46753da0fb0f 100644 --- a/sys/netipsec/ipsec_netbsd.c +++ b/sys/netipsec/ipsec_netbsd.c @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_netbsd.c,v 1.10 2004/05/07 00:55:14 jonathan Exp $ */ +/* $NetBSD: ipsec_netbsd.c,v 1.11 2004/07/17 16:36:39 atatat Exp $ */ /* $KAME: esp_input.c,v 1.60 2001/09/04 08:43:19 itojun Exp $ */ /* $KAME: ah_input.c,v 1.64 2001/09/04 08:43:19 itojun Exp $ */ @@ -32,7 +32,7 @@ */ #include -__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.10 2004/05/07 00:55:14 jonathan Exp $"); +__KERNEL_RCSID(0, "$NetBSD: ipsec_netbsd.c,v 1.11 2004/07/17 16:36:39 atatat Exp $"); #include "opt_inet.h" #include "opt_ipsec.h" @@ -362,6 +362,8 @@ sysctl_fast_ipsec(SYSCTLFN_ARGS) /* XXX will need a different oid at parent */ SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree setup") { + struct sysctlnode *_ipsec; + int ipproto_ipsec; sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT, 
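Review bot: `_ipsec` is declared without an initializer, and a later hunk of this commit picks the parent OID for the whole ipsec subtree with `(_ipsec != NULL) ? _ipsec->sysctl_num : 0`; unless `sysctl_createv` is guaranteed to store NULL through its node pointer on every failure path, that test reads an indeterminate pointer. Initialize it at the declaration, `struct sysctlnode *_ipsec = NULL;`, so the fallback does not depend on that contract. The enclosing SYSCTL_SETUP body continues past this hunk.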
@@ -374,20 +376,63 @@ SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree se NULL, 0, NULL, 0, CTL_NET, PF_INET, CTL_EOL); + /* + * in numerical order: + * + * net.inet.ipip: CTL_NET.PF_INET.IPPROTO_IPIP + * net.inet.esp: CTL_NET.PF_INET.IPPROTO_ESP + * net.inet.ah: CTL_NET.PF_INET.IPPROTO_AH + * net.inet.ipcomp: CTL_NET.PF_INET.IPPROTO_IPCOMP + * net.inet.ipsec: CTL_NET.PF_INET.CTL_CREATE + * + * this creates separate trees by name, but maintains that the + * ipsec name leads to all the old leaves. + */ + + /* create net.inet.ipip */ + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT, + CTLTYPE_NODE, "ipip", NULL, + NULL, 0, NULL, 0, + CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READONLY, + CTLTYPE_STRUCT, "ipip_stats", NULL, + NULL, 0, &ipipstat, sizeof(ipipstat), + CTL_NET, PF_INET, IPPROTO_IPIP, + CTL_CREATE, CTL_EOL); + + /* create net.inet.esp subtree under IPPROTO_ESP */ + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT, + CTLTYPE_NODE, "esp", NULL, + NULL, 0, NULL, 0, + CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "trans_deflev", NULL, + sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, + CTL_NET, PF_INET, IPPROTO_ESP, + IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "net_deflev", NULL, + sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, + CTL_NET, PF_INET, IPPROTO_ESP, + IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READONLY, + CTLTYPE_STRUCT, "esp_stats", NULL, + NULL, 0, &espstat, sizeof(espstat), + CTL_NET, PF_INET, IPPROTO_ESP, + CTL_CREATE, CTL_EOL); + /* create net.inet.ah subtree under IPPROTO_AH */ sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT, CTLTYPE_NODE, "ah", NULL, NULL, 0, NULL, 0, CTL_NET, PF_INET, IPPROTO_AH, 
CTL_EOL); - - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READONLY, - CTLTYPE_STRUCT, "stats", NULL, - NULL, 0, &ahstat, sizeof(ahstat), - CTL_NET, PF_INET, IPPROTO_AH, - IPSECCTL_STATS, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "cleartos", NULL, @@ -404,41 +449,20 @@ SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree se CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "trans_deflev", NULL, sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, - CTL_NET, PF_INET, CTL_IPPROTO_IPSEC, + CTL_NET, PF_INET, IPPROTO_AH, IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "net_deflev", NULL, sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, - CTL_NET, PF_INET, CTL_IPPROTO_IPSEC, + CTL_NET, PF_INET, IPPROTO_AH, IPSECCTL_DEF_AH_NETLEV, CTL_EOL); - - /* create net.inet.esp subtree under IPPROTO_ESP */ - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT, - CTLTYPE_NODE, "esp", NULL, - NULL, 0, NULL, 0, - CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READONLY, - CTLTYPE_STRUCT, "stats", NULL, - NULL, 0, &espstat, sizeof(espstat), - CTL_NET, PF_INET, IPPROTO_ESP, - IPSECCTL_STATS, CTL_EOL); - - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "trans_deflev", NULL, - sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, - CTL_NET, PF_INET, IPPROTO_ESP, - IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READWRITE, - CTLTYPE_INT, "net_deflev", NULL, - sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, - CTL_NET, PF_INET, IPPROTO_ESP, - IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); + CTLTYPE_STRUCT, "ah_stats", NULL, + NULL, 0, &ahstat, sizeof(ahstat), + CTL_NET, PF_INET, IPPROTO_AH, + CTL_CREATE, CTL_EOL); /* create net.inet.ipcomp */ sysctl_createv(clog, 0, NULL, NULL, 
@@ -446,86 +470,91 @@ SYSCTL_SETUP(sysctl_net_inet_fast_ipsec_setup, "sysctl net.inet.ipsec subtree se CTLTYPE_NODE, "ipcomp", NULL, NULL, 0, NULL, 0, CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READONLY, - CTLTYPE_STRUCT, "stats", NULL, + CTLTYPE_STRUCT, "ipcomp_stats", NULL, NULL, 0, &ipcompstat, sizeof(ipcompstat), CTL_NET, PF_INET, IPPROTO_IPCOMP, - IPSECCTL_STATS, CTL_EOL); + CTL_CREATE, CTL_EOL); - /* create net.inet.ipip */ - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT, - CTLTYPE_NODE, "ipip", NULL, - NULL, 0, NULL, 0, - CTL_NET, PF_INET, IPPROTO_IPIP, CTL_EOL); - - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READONLY, - CTLTYPE_STRUCT, "stats", NULL, - NULL, 0, &ipipstat, sizeof(ipipstat), - CTL_NET, PF_INET, IPPROTO_IPIP, - IPSECCTL_STATS, CTL_EOL); - - - /* create net.inet.ipsec subtree under CTL_IPPROTO_IPSEC */ - sysctl_createv(clog, 0, NULL, NULL, + /* create net.inet.ipsec subtree under dynamic oid */ + sysctl_createv(clog, 0, NULL, &_ipsec, CTLFLAG_PERMANENT, CTLTYPE_NODE, "ipsec", NULL, NULL, 0, NULL, 0, - CTL_NET, PF_INET, CTL_IPPROTO_IPSEC, CTL_EOL); - - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_READONLY, - CTLTYPE_STRUCT, "stats", NULL, - NULL, 0, &ipsecstat, sizeof(ipsecstat), - CTL_NET, PF_INET, CTL_IPPROTO_IPSEC, - IPSECCTL_STATS, CTL_EOL); + CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); + ipproto_ipsec = (_ipsec != NULL) ? 
_ipsec->sysctl_num : 0; sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "def_policy", NULL, sysctl_fast_ipsec, 0, &ip4_def_policy.policy, 0, - CTL_NET, PF_INET, CTL_IPPROTO_IPSEC, + CTL_NET, PF_INET, ipproto_ipsec, IPSECCTL_DEF_POLICY, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "esp_trans_deflev", NULL, + sysctl_fast_ipsec, 0, &ip4_esp_trans_deflev, 0, + CTL_NET, PF_INET, ipproto_ipsec, + IPSECCTL_DEF_ESP_TRANSLEV, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "esp_net_deflev", NULL, + sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, + CTL_NET, PF_INET, IPPROTO_ESP, + IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "esp_net_deflev", NULL, + sysctl_fast_ipsec, 0, &ip4_esp_net_deflev, 0, + CTL_NET, PF_INET, ipproto_ipsec, + IPSECCTL_DEF_ESP_NETLEV, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "ah_trans_deflev", NULL, + sysctl_fast_ipsec, 0, &ip4_ah_trans_deflev, 0, + CTL_NET, PF_INET, ipproto_ipsec, + IPSECCTL_DEF_AH_TRANSLEV, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "ah_net_deflev", NULL, + sysctl_fast_ipsec, 0, &ip4_ah_net_deflev, 0, + CTL_NET, PF_INET, ipproto_ipsec, + IPSECCTL_DEF_AH_NETLEV, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "ah_cleartos", NULL, + NULL, 0, &/*ip4_*/ah_cleartos, 0, + CTL_NET, PF_INET, ipproto_ipsec, + IPSECCTL_AH_CLEARTOS, CTL_EOL); + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "ah_offsetmask", NULL, + NULL, 0, &ip4_ah_offsetmask, 0, + CTL_NET, PF_INET, ipproto_ipsec, + IPSECCTL_AH_OFFSETMASK, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, 
"dfbit", NULL, NULL, 0, &ip4_ipsec_dfbit, 0, - CTL_NET, PF_INET, CTL_IPPROTO_IPSEC, + CTL_NET, PF_INET, ipproto_ipsec, IPSECCTL_DFBIT, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "ecn", NULL, NULL, 0, &ip4_ipsec_ecn, 0, - CTL_NET, PF_INET, CTL_IPPROTO_IPSEC, + CTL_NET, PF_INET, ipproto_ipsec, IPSECCTL_ECN, CTL_EOL); sysctl_createv(clog, 0, NULL, NULL, CTLFLAG_PERMANENT|CTLFLAG_READWRITE, CTLTYPE_INT, "debug", NULL, NULL, 0, &ipsec_debug, 0, - CTL_NET, PF_INET, CTL_IPPROTO_IPSEC, + CTL_NET, PF_INET, ipproto_ipsec, IPSECCTL_DEBUG, CTL_EOL); - -#if 0 - /* - * "aliases" for the fast ipsec subtree - */ sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_ALIAS, - CTLTYPE_NODE, "fast_esp", NULL, - NULL, IPPROTO_AH, NULL, 0, - CTL_NET, PF_INET, IPPROTO_ESP, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_ALIAS, - CTLTYPE_NODE, "fast_ipcomp", NULL, - NULL, IPPROTO_AH, NULL, 0, - CTL_NET, PF_INET, IPPROTO_IPCOMP, CTL_EOL); - sysctl_createv(clog, 0, NULL, NULL, - CTLFLAG_PERMANENT|CTLFLAG_ALIAS, - CTLTYPE_NODE, "fast_ah", NULL, - NULL, IPPROTO_AH, NULL, 0, - CTL_NET, PF_INET, CTL_CREATE, CTL_EOL); -#endif + CTLFLAG_PERMANENT|CTLFLAG_READONLY, + CTLTYPE_STRUCT, "ipsecstats", NULL, + NULL, 0, &ipsecstat, sizeof(ipsecstat), + CTL_NET, PF_INET, ipproto_ipsec, + CTL_CREATE, CTL_EOL); } diff --git a/sys/netipsec/ipsec_var.h b/sys/netipsec/ipsec_var.h index dbcaf5c4613a..a3566bb6ce67 100644 --- a/sys/netipsec/ipsec_var.h +++ b/sys/netipsec/ipsec_var.h @@ -1,4 +1,4 @@ -/* $NetBSD: ipsec_var.h,v 1.1 2004/05/07 00:55:14 jonathan Exp $ */ +/* $NetBSD: ipsec_var.h,v 1.2 2004/07/17 16:36:39 atatat Exp $ */ /* $FreeBSD: src/sys/netipsec/ipsec.h,v 1.2.4.2 2004/02/14 22:23:23 bms Exp $ */ /*- 
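Review bot: The first of the two `esp_net_deflev` stanzas added to the ipsec tree is parented at `IPPROTO_ESP` with number `IPSECCTL_DEF_ESP_NETLEV`, exactly the parent and number the `net_deflev` leaf already occupies under `net.inet.esp` in an earlier hunk of this file, so that registration should be rejected as a duplicate and looks like a copy-paste of the `ipproto_ipsec` stanza that immediately follows it; drop the `IPPROTO_ESP` one. Separately, `ipproto_ipsec = (_ipsec != NULL) ? _ipsec->sysctl_num : 0` falls back to node 0 when the `ipsec` node could not be created, and 0 under `PF_INET` is `IPPROTO_IP`, so every leaf that follows would be attached under the `net.inet.ip` subtree with small fixed numbers that may collide with that subtree's own leaves; skipping them instead, `if (_ipsec == NULL) return;`, is the safer failure mode. The SYSCTL_SETUP body begins outside this hunk.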
@@ -77,7 +77,7 @@ struct newipsecstat { /* * Names for IPsec & Key sysctl objects */ -#define IPSECCTL_STATS 1 /* stats */ +#define IPSECCTL_STATS 1 /* KAME compat stats */ #define IPSECCTL_DEF_POLICY 2 #define IPSECCTL_DEF_ESP_TRANSLEV 3 /* int; ESP transport mode */ #define IPSECCTL_DEF_ESP_NETLEV 4 /* int; ESP tunnel mode */ diff --git a/usr.bin/netstat/fast_ipsec.c b/usr.bin/netstat/fast_ipsec.c index d631969dc9fd..cc2d11becb4b 100644 --- a/usr.bin/netstat/fast_ipsec.c +++ b/usr.bin/netstat/fast_ipsec.c @@ -1,4 +1,4 @@ -/* $NetBSD: fast_ipsec.c,v 1.5 2004/06/27 01:10:53 jonathan Exp $ */ +/* $NetBSD: fast_ipsec.c,v 1.6 2004/07/17 16:36:39 atatat Exp $ */ /* $FreeBSD: src/tools/tools/crypto/ipsecstats.c,v 1.1.4.1 2003/06/03 00:13:13 sam Exp $ */ /*- @@ -33,7 +33,7 @@ #include #ifndef lint #ifdef __NetBSD__ -__RCSID("$NetBSD: fast_ipsec.c,v 1.5 2004/06/27 01:10:53 jonathan Exp $"); +__RCSID("$NetBSD: fast_ipsec.c,v 1.6 2004/07/17 16:36:39 atatat Exp $"); #endif #endif /* not lint*/ @@ -57,11 +57,32 @@ __RCSID("$NetBSD: fast_ipsec.c,v 1.5 2004/06/27 01:10:53 jonathan Exp $"); #include #include +#include #include #include #include "netstat.h" +/* + * Cache the check to see if we have fast_ipsec so that we don't + * have to go to the kernel repeatedly. + */ +static int +have_fast_ipsec(void) +{ + static int haveit = -1; + + if (haveit == -1) { + if (sysctlbyname("net.inet.ipsec.ipsecstats", NULL, NULL, + NULL, 0) == -1) + haveit = 0; + else + haveit = 1; + } + + return (haveit); +} + /* * Dispatch between fetching and printing (KAME) IPsec statistics, * and FAST_IPSEC statistics, so the rest of netstat need not know 
@@ -70,12 +91,8 @@ __RCSID("$NetBSD: fast_ipsec.c,v 1.5 2004/06/27 01:10:53 jonathan Exp $"); void ipsec_switch(u_long off, char * name) { - int status; - size_t slen; - - slen = 0; - status = sysctlbyname("net.inet.ipsec.stats", NULL, &slen, NULL, 0); - if (status == 0 && slen == sizeof(struct newipsecstat)) + + if (have_fast_ipsec()) return fast_ipsec_stats(off, name); return ipsec_stats(off, name); 
@@ -156,26 +173,34 @@ fast_ipsec_stats(u_long off, char *name) memset(&ipips, 0, sizeof(ipips)); /* silence check */ - status = sysctlbyname("net.inet.ipsec.stats", NULL, &slen, NULL, 0); - if (status != 0) - return; + if (!have_fast_ipsec()) + return; slen = sizeof(ipsecstats); - status = sysctlbyname("net.inet.ipsec.stats", &ipsecstats, &slen, + status = sysctlbyname("net.inet.ipsec.ipsecstats", &ipsecstats, &slen, NULL, 0); - if (status < 0) - err(1, "net.inet.ipsec.stats"); + if (status < 0 && errno != ENOMEM) + err(1, "net.inet.ipsec.ipsecstats"); slen = sizeof (ahstats); - if (sysctlbyname("net.inet.ah.stats", &ahstats, &slen, NULL, 0) < 0) - err(1, "net.inet.ah.stats"); + status = sysctlbyname("net.inet.ah.ah_stats", &ahstats, &slen, NULL, 0); + if (status < 0 && errno != ENOMEM) + err(1, "net.inet.ah.ah_stats"); + slen = sizeof (espstats); - if (sysctlbyname("net.inet.esp.stats", &espstats, &slen, NULL, 0) < 0) - err(1, "net.inet.esp.stats"); - if (sysctlbyname("net.inet.ipcomp.stats", &ipcs, &slen, NULL, 0) < 0) - err(1, "net.inet.ipcomp.stats"); - if (sysctlbyname("net.inet.ipip.stats", &ipips, &slen, NULL, 0) < 0) - err(1, "net.inet.ipip.stats"); + status = sysctlbyname("net.inet.esp.esp_stats", &espstats, &slen, NULL, 0); + if (status < 0 && errno != ENOMEM) + err(1, "net.inet.esp.esp_stats"); + + slen = sizeof(ipcs); + status = sysctlbyname("net.inet.ipcomp.ipcomp_stats", &ipcs, &slen, NULL, 0); + if (status < 0 && errno != ENOMEM) + err(1, "net.inet.ipcomp.ipcomp_stats"); + + slen = sizeof(ipips); + status = sysctlbyname("net.inet.ipip.ipip_stats", &ipips, &slen, NULL, 0); + if (status < 0 && errno != ENOMEM) + err(1, "net.inet.ipip.ipip_stats"); printf("(Fast) IPsec:\n"); 
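Review bot: Tolerating `ENOMEM` on the five `sysctlbyname` fetches leaves `slen` unchecked, so when the kernel's stats structure differs in size from netstat's (the case `ENOMEM` signals, or a smaller kernel struct, which returns success with a short `slen`) the trailing fields are printed from whatever the buffer held — only `ipips` is zeroed in the visible context. The old `ipsec_switch` code compared `slen` against `sizeof(struct newipsecstat)` before trusting the data; this commit drops that check and nothing replaces it. I would fold the five stanzas into a helper that zeroes the buffer, keeps the `ENOMEM` tolerance, and warns on a size mismatch, as below. fast_ipsec_stats begins and ends outside this hunk.
```c
/* Fetch one stats struct; tolerate a larger kernel struct (ENOMEM) but report any size mismatch. */
static void
fetch_stats(const char *name, void *buf, size_t len)
{
	size_t slen = len;

	memset(buf, 0, len);
	if (sysctlbyname(name, buf, &slen, NULL, 0) < 0 && errno != ENOMEM)
		err(1, "%s", name);
	if (slen != len)
		warnx("%s: kernel struct is %lu bytes, expected %lu", name,
		    (unsigned long)slen, (unsigned long)len);
}

/* … unchanged: declarations at the top of fast_ipsec_stats … */
	if (!have_fast_ipsec())
		return;
	fetch_stats("net.inet.ipsec.ipsecstats", &ipsecstats, sizeof(ipsecstats));
	fetch_stats("net.inet.ah.ah_stats", &ahstats, sizeof(ahstats));
	fetch_stats("net.inet.esp.esp_stats", &espstats, sizeof(espstats));
	fetch_stats("net.inet.ipcomp.ipcomp_stats", &ipcs, sizeof(ipcs));
	fetch_stats("net.inet.ipip.ipip_stats", &ipips, sizeof(ipips));
/* … unchanged: printf("(Fast) IPsec:\n") and the stat tables … */
```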
@@ -269,7 +294,7 @@ fast_ipsec_stats(u_long off, char *name) IPIPSTAT(ipips.ipips_family, "protocol family mismatched"); IPIPSTAT(ipips.ipips_unspec, "missing tunnel-endpoint address"); IPIPSTAT(ipips.ipips_ibytes, "input bytes received"); - IPIPSTAT(ipips.ipips_obytes, "output bytes procesesed"); + IPIPSTAT(ipips.ipips_obytes, "output bytes processed"); #undef IPIPSTAT printf("IPsec ipcomp:\n");